Those WhatsApp group chats that your friends are constantly adding you to aren’t just annoying. They can also be dangerous.
Check Point Research says it found WhatsApp security flaws that allow other people in a group chat to put digital words in your mouth, meaning someone could make it look as if you said, “Ed Sheeran is the greatest singer of all time,” even though you clearly didn’t.
According to the research, someone could either use the WhatsApp “quote” feature in a group conversation to “change the identity of the sender, even if that person is not a member of the group,” or they could “alter the text of someone else’s reply, essentially putting words in their mouth.” (If you’re looking for an explainer on the technical side of how the attack works, TNW has a good one.)
As my colleague Michael Grothaus put it, this security flaw is basically a deepfake for WhatsApp—and that could be dangerous. If you think fake quotes attributed to Abraham Lincoln, or ones professing a friend’s fake love of Ed Sheeran, are obnoxious but funny, wait until someone threatens to kill someone else over a message they appear to have sent on WhatsApp, or fake quotes attributed to Barack Obama are used to incite violence. We live in frightening times, and this flaw could exacerbate a lot of problems.
The most unsettling part about these security flaws is that Facebook, which owns WhatsApp (in case you like to pretend you forgot), has known about them for a year but reportedly doesn’t believe they’re practical to fix. That’s because WhatsApp uses end-to-end encryption for its chats. While that is a great privacy feature, it makes it tricky for Facebook to intervene in this sort of attack because *cue horror movie music* the attack is coming from inside the encrypted chat. Participants in the group chat can, of course, access the decrypted version of the messages, but Facebook cannot. So it reportedly feels its hands are tied on this one.
We’ve reached out to Facebook for comment and will update if they get back to us with a more detailed explanation.
Update: A Facebook spokesperson responded with the following statement:
“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”